topic Re: How to configure SSL universal forwarder and receiver? in Getting Data In

How to configure SSL universal forwarder and receiver?

atixx — Wed, 27 Aug 2014 08:06:43 GMT

hey

I configure an SSL forward.
But I have this error :

Forwarder - Error :

TcpInputConfig - SSL clause not found or servercert not provided - SSL ports will not be available
ERROR SSLCommon - Can't read certificate file /root/ca/requests/splunk3-key.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line
08-27-2014 09:29:16.110 +0200 ERROR TcpOutputProc - Error initializing SSL context - invalid sslCertPath for server 2.2.2.2:1000

Receiver -error :

08-27-2014 09:42:16.327 +0200 ERROR SSLCommon - Can't read certificate file /root/ca/extern/splunk3-key.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line
08-27-2014 09:42:16.327 +0200 ERROR TcpInputConfig - SSL server certificate not found, or password is wrong - SSL ports will not be opened
08-27-2014 09:42:16.327 +0200 ERROR TcpInputConfig - SSL context not found. Will not open splunk 2 splunk (SSL) IPv4 port 1000

In receiver :

/root/ca/extern/:
-rw------- 1 root root 1919 Aug 27 08:25 cacert.pem
-rw------- 1 root root 1751 Aug 27 08:25 splunk3-key.pem

inputs.conf

[splunktcp-ssl://1000]
    compressed = true
    connection_host = 1.1.1.1
    queueSize=1MB
    persistentQueueSize=4GB
    _TCP_ROUTING = splunk3-ad

[SSL]
    password = my_password
    requireClientCert = false
    rootCA = /root/ca/extern/cacert.pem
    serverCert = /root/ca/extern/splunk3-key.pem

In forwarder :

/root/ca/requests:
-rw-r--r-- 1 root root  960 Aug 27 08:15 splunk3-cert.csr
-rw-r--r-- 1 root root    0 Aug 27 08:16 splunk3-cert.pem
-rw-r--r-- 1 root root 1751 Aug 27 08:12 splunk3-key.pem

outputs.conf

[tcpout]
    backoffOnFailure = 5
    channelReapInterval = 60000
    channelReapLowater = 10
    channelTTL = 60
    compressed = true
    defaultGroup = syslog-ad,file-rweb
    dnsResolutionInterval = 300
    negotiateNewProtocol = true
    readTimeout = 900
    useACK = true
    writeTimeout = 5
    indexAndForward = 0

[tcpout:syslog-ad]
    server = 2.2.2.2:1000
    maxQueueSize = 10MB
    dropEventsOnQueueFull = -1
    sslCertPath = /root/ca/requests/splunk3-key.pem
    sslPassword = my_password
    sslRootCAPath = /root/ca/cacert.pem
    usesslCompression = true
    sslVerifyServerCert = false
    #useClientSSLCompression = true

Someone have any ideas ?

Thanks

Re: How to configure SSL universal forwarder and receiver?

DerekKing — Wed, 27 Aug 2014 08:33:24 GMT

Hi,

I'm not sure on your specific error, but it could be down to missing or incorrectly placed private keys.

Have a look at this wiki, and see if it helps. I'm sure someone more educated than me will be along to help with more specifics soon.

http://wiki.splunk.com/Community:SplunkWeb_SSL_SelfSignedCert_NewRootCA

Regards
Derek

Re: How to configure SSL universal forwarder and receiver?

atixx — Wed, 27 Aug 2014 09:42:40 GMT

I try this :

mkdir mycerts
export OPENSSL_CNF=/opt/splunkforwarder/openssl/openssl.cnf 
cd mycerts/
openssl genrsa -des3 -out myCAKey.key 2048
openssl req -new -key myCAKey.key -out myCACert.csr
openssl x509 -req -in myCACert.csr -signkey myCAKey.key -out myCACert.pem -days 3650
openssl genrsa -des3 -out slk-private.key 2048
openssl rsa -in slk-private.key -out slk-private.key 
openssl rsa -in slk-private.key -text
openssl req -new -key slk-private.key -out slk-Cert.csr 
openssl x509 -req -in slk-Cert.csr -CA myCACert.pem -CAkey myCAKey.key -CAcreateserial -out slk-Cert.pem -days 1095
cat slk-Cert.pem myCACert.pem > slk-conc-Cert.pem

And in conf file (outputs), modifying path :

sslCertPath = /opt/splunkforwarder/etc/auth/mycerts/slk-conc-Cert.pem
sslPassword = my_password_no_hash
sslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/myCACert.pem

Logs outputs / errors :

08-27-2014 11:33:03.403 +0200 ERROR SSLCommon - Can't read key file /opt/splunkforwarder/etc/auth/mycerts/slk-conc-Cert.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line.
08-27-2014 11:33:03.403 +0200 ERROR TcpOutputProc - Error initializing SSL context - invalid sslCertPath for server 2.2.2.2:1000

Old erros with old certificates :

TcpInputConfig - SSL clause not found or servercert not provided - SSL ports will not be available
ERROR SSLCommon - Can't read certificate file /root/ca/requests/splunk3-key.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line
08-27-2014 09:29:16.110 +0200 ERROR TcpOutputProc - Error initializing SSL context - invalid sslCertPath for server 2.2.2.2:1000

It's better than before, but not working.

Re: How to configure SSL universal forwarder and receiver?

DerekKing — Wed, 27 Aug 2014 10:21:32 GMT

Have you generated the private key on the right server ? It looks to me like you generated it on the forwarder ?

The key generation should be done on the Indexer I believe.

Derek